SonarQube Vendor Assessment Questions

As part of our standard due diligence when introducing new software to our organization, we need answers to some general questions around SonarQube’s security controls.

  • Version: SonarQube 8.9
  • Goal: Evaluate security risk of adopting SonarQube
  • Tried: Had email conversations with account representative and scoured online documentation


  1. Do you have an Information Security Management program in place? We ask this to confirm your organization defines and implement general security practices

  2. Do you have a business continuity and disaster recovery plan? We ask this to assess the risk of us ending up with a discontinued product

  3. Do you have a vulnerability management program in place for your applications? We ask this to assess the likelihood of us using a product containing security vulnerabilities.

  4. Do you hire a third party to perform external Penetration testing? If so, how often are these tests performed? We ask this to assess the security of your product

  5. Does your organization perform annual risk or security assessments? We ask this to get greater confidence in your organization’s general security practices

  6. Do you have a patch management process for your solution? We ask this to assess the difficulty/ease of upgrading to versions with fixes to newly discovered security vulnerabilities